
In this webinar, we covered topics including planning for future disruptions, incident management, operational resilience, and data analytics. Read the Q&As and polling results from our live webinar with Richard Waterer from Aon.

Over 800 risk professionals joined Richard Waterer, Managing Director EMEA for Aon, and David Tattam, Director of Research and Training from The Protecht Group, in our live webinar "Managing Disruption – The keys to riding the storm".
Richard and David shared their insights on the importance of planning and being adequately prepared for disruption, and the key elements in managing a disruption. The role of risk management in being resilient to disruption was also addressed.
We believe connecting like-minded risk management professionals to share ideas will help shape the future of risk management. Hence, we would like to share the Q&As, polling results and post-webinar survey of this webinar with you in this article.
1. Given the increasingly interconnected world, is traditional Business Continuity management becoming redundant?
Richard Waterer: Great question. I think there is a huge place for Business Continuity Management still. I would define BC as understanding the assets and resources that matter most to an organisation and seeking to protect the availability of those assets and resources - almost irrespective of the incident that has taken place. With that said, we've learned a lot about the value of traditional Business Continuity plans in an event that can affect multiple companies, sometimes not even consigned to an individual geography.
A lot of plans will contain assumptions about recovery, either assumptions about the ability of partners or suppliers to be available or the assumption about customers to be there and ready to receive your products and services. This pandemic certainly tested how we think about Business Continuity Management but as we think about more traditional events such as the loss of a facility or an asset or maybe a key person or team, a lot of these founding principles remain the same.
Although we focus less on threats and more on impacts with BCM, we are going to be seeing considerable changes to the way companies operate. Whether that's home working or re-engineering supply chains. The BCM events that are more likely to drive those losses if they're not managed or are unprepared may well change so that will likely require more focus.
2. I have never heard the term "Black Swan event". Please kindly explain it.
David Tattam: A "Black Swan event" is a very, very low likelihood but highly catastrophic event. The term is from a book written by Nassim Nicholas Taleb, "The Black Swan: The Impact of the Highly Improbable". While I'm at it, you should also read the book "The Gray Rhino" by Michele Wucker, which is more about the incidents that are predictable but we tend to ignore them until it's too late. I would argue that COVID-19 was in fact a grey rhino rather than a black swan.
Almost half of the attendees from our live session say that high-impact risks are managed well in their organisation, while 44% say that only the obvious ones are managed OK.
3. You mentioned that in previous pandemic scenario analyses, government intervention was not assessed accurately. Now we have seen the level of government intervention, is there a danger of extreme risks being viewed as the government's responsibility not the organisation?
David Tattam: Interesting question! Firstly, in the majority of scenario analyses for pandemics prior to COVID-19, there was definitely a lack of/erroneous assumptions regarding how governments would react. With hindsight, it always seems more obvious as to what government and authority response would be to a highly infectious pandemic but our scenario analysis assumptions just didn’t get it right. We always learn from experience and I am sure all pandemic and public related health scenarios will now have much more realistic assumptions regarding government response.
Secondly is the implication for future pandemics. Given the enormous government influence in attempting to deal with the pandemic there could be a feeling of individual organisations being powerless and therefore “leave it to the government”. This would be a grave mistake. There is much that an organisation can do to maximise its resilience to future shocks and also planning for the war room operation when it does occur. Government and authority response becomes an external driver to the organisation. In many ways government response should be considered the cause of many additional organisational risks (inability to carry out business etc.) and the organisation needs to be clear what it can and cannot influence and it focuses on what is within its control and manages that accordingly.
38% of the live webinar attendees hold a positive view of how their government has managed the COVID-19 crisis.
4. Has the role of Big Data/Machine Learning met expectations on early warning systems? Is there more evolution of this to come?
David Tattam: Great question. No, I don't believe that the role of Big Data or machine learning has met expectations in any way or form yet. Big Data kind of felt like the internet bubble for a while in terms of what it was going to deliver and I think it disappointed in a way. I think we've come back from the Big Data revolution to a more realistic position of taking the data that is available and turning it into usable intelligence. I believe there is a huge role for increased data usage, particularly around the early warning systems to give these risks more prominence.
5. How do we ensure that the risks that are not in our top 10/15/20 get adequately looked at and is there a need to revisit the risk assessment methodology for assessing them? Is there another parameter required?
David Tattam: I would argue this goes very strongly with the question on big data. As we get more forward looking risk metrics and indicators that enable us to assess risks in a more sophisticated way this will bring these low likelihood, big impact risks to the fore, so that we are more prepared in the future. It's also worth mentioning that we've got a series of risk management futurist webinars starting in August and certainly Big Data and Machine Learning will be discussed.
6. Good crisis management is not just about how you manage the event but how you're seen to manage the event. In light of this, are companies doing enough to manage their risks to reputation?
Richard Waterer: My short answer would be, probably not. In my experience, there have been two lenses through which a lot of companies have started to think about reputational risk. One is through asking, are they prepared for crises and can they manage the crises and create a positive response without creating further damage if it's mismanaged. There has been a lot of focus on that for some years now. We also see when companies are evaluating risks in their risk register, they tend to use a series of indicators which are much broader than pure financial impacts today and they may well apply a reputational impact. But in my experience, often those reputational impacts can be sort of relatively high level and don't really create additional insights for the company that's assessing it.
So where I see this being done well is in companies that almost have gone to the next stage of that process and thought about how they can map out those reputational risk scenarios that may not lead to short-term financial impact, that may lead to a longer-term erosion of either relevance or market share or indeed share price performance. The key in doing that is understanding: what are the values that the company trades by, and therefore what are the events that would most compromise their ability to be seen to be upholding those values?
There's also a big bit of stakeholder engagement required that perhaps traditional risk management functions wouldn't think as broadly as, so you're getting rid of very wide stakeholder community. Typically, the big reputation events are the ones that compromise those values and also have the ability to negatively impact a wide group of stakeholders. It's all about understanding those events and spending as much time as possible in building out what they might look like, what they might end up costing so you can invest in them appropriately.
The majority of the webinar attendees believe that their organisation has managed the COVID-19 crisis well or very well.
7. How does Dynamic risk reporting work? Are we integrating GRC tool with other technologies to obtain data in real time? Can you share any examples?
David Tattam: At Protecht, we refer to dynamic risk reporting as “Risk in Motion™”. This is literally recognising the dynamic nature of risk, how quickly it can change and therefore the need for more dynamic, real time and forward looking reporting.
The principles for how it works are:
An example is provided below:
The same principle applies for any other risk dimension such as:
You can also view the following which will provide more guidance:
8. Where third-party risk is present - how do we move away from reliance on ingrained "on site" interactions (audits/performance review meetings/cyber control testing) to alternatives? I have found that not being able to gain access being "on site" with third parties has shown weaknesses in controls we had not previously identified (access to site was a reasonable assumption).
David Tattam: Third-party risk management is a rapidly developing area, not least because of the ever growing realisation as to the level of risk posed by our supply chains and in particular key suppliers. This involves the obvious risk of third-party performance and failure but also modern slavery and the need to know our suppliers.
The traditional approach of “on-site” interactions and audits has the problems of permissions to carry these out and the high cost involved.
The future is really about remote monitoring of third parties. This can be achieved in two main ways.
This remote approach is much more efficient and agile. When the data raises concerns this should prompt direct inquiry and this may involve third-party site visits and audits but these would be on a much less frequent basis and be targeted based on the risk information and analysis already carried out.
Attendees showed great confidence in their businesses facing the disruption caused by COVID-19, with 89% saying they will either recover or be stronger than before.
Here's how our attendees responded when we posed the question: "What do you see as the most likely and profound impact of COVID-19 on the future of risk management?"
One of the common themes from the survey responses is the increased relevance and importance of risk management in organisations as a whole:
Black Swan events refer to events with a very low likelihood but highly catastrophic impact.
Several responses also referenced more awareness of low likelihood but high impact events as well as predictable incidents that are often ignored:
Some respondents also stressed the effects of the pandemic in pushing organisations to review their readiness, ability to respond quickly and their overall business resilience:
Protecht is an international company founded by some of the most accomplished risk professionals in the industry. Since 1999, we have delivered training, advisory and software solutions that intensify the Risk Management focus and discipline of government departments and corporations around the world.